
Digital Press: Data Networks: Routing, Security, and Performance Optimization (June 2002, ISBN 1555582710)


DOCUMENT INFORMATION

Basic information

Format
Number of pages: 1,116
Size: 6.49 MB

Contents

Data Networks: Routing, Security, and Performance Optimization
ISBN: 1555582710
by Tony Kenyon
Digital Press © 2002 (807 pages)

Provides coverage of routing, security, multicasting, and advanced design topics, as well as strategies for overcoming challenges in network design and management.

Table of Contents

Data Networks: Routing, Security, and Performance Optimization
Preface
Chapter 1 - A Review of the Basics
Chapter 2 - Addressing, Naming, and Configuration
Chapter 3 - Routing Technology
Chapter 4 - Multicast Network Design
Chapter 5 - Designing Secure Networks
Chapter 6 - Designing Reliable Networks
Chapter 7 - Network Optimization
Chapter 8 - Quality of Service
Chapter 9 - Network Management
Appendix A - Mathematical Review
Appendix B - DNS Top Level Domain Codes
Appendix C - IP Protocol Numbers
Appendix D - UDP and TCP Port Numbers
Appendix E - Multicast and Broadcast Addresses
Appendix F - EtherType Assignments
Appendix G - Example MTTR Procedures
Index
List of Figures
List of Tables

Back Cover

Data Networks builds on the foundation laid in Kenyon's first book, High Performance Data Network Design, with expanded coverage of routing, tuning, and troubleshooting. Kenyon provides strategies for overcoming some of the most challenging problems in network design and management. He provides clear, specific solutions for day-to-day problems of network designers and IT managers. You'll get optimization advice from an experienced practitioner that you can put to work in your own system. As security and network performance become more and more critical to a company's success, the system administrator's job becomes even more difficult. Use the principles, tips, and techniques Kenyon offers here to enhance and protect the flow of data within your enterprise.

- Covers Addressing, Routing, Multicasting, and Quality of Service (QoS) design for enterprise network design
- Extensive coverage of relevant Security Technologies and Virtual Private Network (VPN) implementation
- Provides advanced coverage of Risk Assessment, Availability Analysis, Fault Tolerance, Disaster Recovery, and Network Optimization

About the Author

Tony Kenyon is the Chief Technical Officer of Advisor Technologies Ltd. (ATL), based in Berkshire, UK. ATL develops enterprise security management solutions for multivendor networks. Tony was formerly Technical Director for Europe, Middle East, and Africa at Nokia Internet Communications, and has worked in the data communications industry since 1983. He has designed several international communications networks, and has developed a number of modeling tools, including an award-winning graphical object-oriented network design suite. He is the author of High-Performance Data Network Design, also published by Digital Press.

Data Networks
Routing, Security, and Performance Optimization
Tony Kenyon
Digital Press
An imprint of Elsevier Science
Amsterdam Boston London New York Oxford Paris San Diego San Francisco Singapore Sydney Tokyo

Copyright © 2002, Elsevier Science (USA). All rights reserved.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher.

Recognizing the importance of preserving what has been written, Elsevier Science prints its books on acid-free paper whenever possible.

Library of Congress Cataloging-in-Publication Data
Kenyon, Tony, 1960—
Data networks: routing, security, and performance optimization / Tony Kenyon.
p. cm.
Includes bibliographical references and index.
ISBN 1-55558-271-0 (pbk.: alk. paper)
1. Routers (Computer networks) 2. Computer networks—Security measures 3. High performance computing I. Title
TK5105.543 K46 2002
004.6—dc21 2002019364

British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library.

The publisher offers special discounts on bulk orders of this book. For information, please contact:
Manager of Special Sales
Elsevier Science
225 Wildwood Avenue
Woburn, MA 01801-2041
Tel: 781-904-2500
Fax: 781-904-2620

For information on all Digital Press publications available, contact our World Wide Web home page at: http://www.digitalpress.com or http://www.bh.com/digitalpress

10 9 8 7 6 5 4 3 2 1

Printed in the United States of America

This book is dedicated to my wife Amita, and to our beautiful son Jai. Hardly an Indian love poem, but I'm sure she understands.

About the Author

Tony Kenyon is the Chief Technical Officer of Advisor Technologies Ltd. (ATL), based in Berkshire, United Kingdom. ATL develops enterprise security management solutions for multivendor networks. He was formerly Technical Director for Europe, the Middle East, and Africa at Nokia Internet Communications and has worked in the data communications industry since 1983. Tony has designed several international communications networks and has developed a number of modeling tools, including an award-winning graphical object-oriented network design suite. For comments to the author he can be reached at

Acknowledgments

As anybody involved in such a large undertaking will attest, attempting to write such a book without feedback is a recipe for insanity. Therefore, I must thank a number of individuals for their time and constructive input on this project. For painstakingly reviewing the content and making numerous suggestions I have Brian Hill of Xyplex to thank. For reviews and helpful suggestions on security and routing topics I must thank my colleagues Philip Miller, Andrew Namboka, and Bob Brace of Nokia Internet Communications; Alex Challis of Asita Technologies; and Derin Mellor. For editing and compiling the final version of this text, I thank Dr. Paul Fortier and Gurukumar Anantharama Sarma of the University of Massachusetts, Dartmouth. I thank Pam Chester and the folks at Digital Press for affording me the opportunity to bring this project to life. Finally, I must thank my wife Amita and my son Jai for their patience and support.

This book does not reflect the policy or the position of any organization I have worked for. No financial support, resources, or direction was obtained from these organizations, and the ideas and opinions presented here (rightly or wrongly) are strictly personal. I apologize for any errors I have made that may offend or mislead. Please forward any constructive input to my e-mail address or to Digital Press.

Preface

In the developed parts of the world virtually all information-based organizations are underpinned by some form of communications infrastructure, and for many companies the communications network is intimately bound with core business operations. For large, multinational companies the annual cost of running such an infrastructure may run into millions of dollars, and the unexpected cost of service outages may be equally as large. Good network design and attention to detail are fundamental to providing cost-effective and reliable data networks. It is surprising, therefore, that there are very few books that deal with the subject of network design from the ground up, combining the theoretical, practical, and financial issues associated with real network designs.

Designing modern enterprise networks is now so complex that it cannot be achieved without the use of specialist software tools, and, as with any large problem, it is also beneficial to break down the problem into manageable components. There is, fortunately, a natural split in the design process between the delivery of the physical topology (be it a local or wide area network) and the routing and higher-layer services. This split mirrors what we find in the field today. There seem to be two broad classes of network designer: those who know much about routing and little about topology analysis, and vice versa. Unfortunately, knowledge of both is critical in planning and implementing an efficient data network. Network design must be approached holistically, from the ground up; otherwise, the result is typically a suboptimal network, with substantial reengineering costs due to inappropriate assumptions made during the design phase.

Since this is such a huge topic, I have divided my treatment into two books. In this book we discover how to deliver an optimized logical topology—covering the addressing, routing, and security issues required for delivering enterprise services, and how such networks should be tuned for performance, availability, and maintainability. The first book (High-Performance Data Network Design) deals with the design techniques required to deliver an optimized physical topology. That book covers the design process from initiation, capacity planning, backbone and access design, and performance modeling, to the various LAN, MAN, and WAN switching technologies required to deliver a basic network infrastructure.

My objective in starting this project was to unite a number of apparently disparate areas of network design and to provide a balance of theoretical and practical information that practicing engineers would find useful in their day-to-day job. Since network design often receives very fragmented coverage, this book is an attempt to bring together those pieces so that they may be seen in context. In particular, the key issues in designing network addressing schemes are discussed, including how to design using the latest routing protocols, how to optimize performance using the latest technologies, how to build fault-tolerant and resilient networks within budget, how to assess and quantify risk in order to deploy security technologies appropriate for each network, how to deploy Virtual Private Networks (VPNs), understanding the latest developments in Quality of Service (QoS), and, finally, how to manage and maintain networks.

I started this project in an environment where the goalposts are far from static. The speed of change in information technology is simply staggering: within the last 20 years we have seen a massive shift from large, centralized, host-centric networks to a situation where most of today's computing power resides on desktops. With processing power growing exponentially, and memory prices declining every year, we are now witnessing another paradigm shift toward an era of mobile personal computing. We have seen the emergence of distributed architectures, multimedia, and the explosive growth of the Internet and the World Wide Web (WWW), each forcing the development of new protocols and new applications. Network security has become a real force for change in recent years, with massive growth in the firewall market and completely new models of secure networking, such as the Public Key Infrastructure (PKI) and VPNs. Businesses are now demanding quality-of-service guarantees and information privacy, and there is increasing emphasis on Service-Level Agreements (SLAs). With overall improvements in the communications infrastructure we have also seen a significant increase in voice communications, new applications for packetized Voice over IP (VoIP), and the unification of both text and audio messaging systems. Finally, there are radical changes afoot in the field of user interfaces, including the take-up of voice recognition, text-to-audio translation, and the use of biometrics.

In all areas of technology the boundaries are blurring between local and wide area networks, data and voice, wired and wireless. All of these technologies are now being provisioned via a new breed of highly integrated hybrid devices with built-in routing, switching, bandwidth management, and security services. In a very short space of time every home will have Internet access via smart, integrated digital terminals. There has already been a massive shift in the adoption of mobile wireless computing and Internet access via a new generation of data-aware mobile phones. Over the next few years we will see the adoption of Java-enabled telephony, with high-resolution color displays capable of running more powerful applications. This, together with the use of more intuitive user interfaces and voice recognition, will truly mobilize the face of personal computing. We can only guess what changes the next two decades will bring.

List of Figures

Chapter 5: Designing Secure Networks (continued)
Figure 5.16: The shaded area represents the scope of authentication for IPSec transport and tunnel mode using either the AH or the ESP protocol.
Figure 5.17: AH header format.
Figure 5.18: ESP header and trailer.
Figure 5.19: Phase 1 and Phase 2 IKE and IPSec SA negotiations.
Figure 5.20: Simple end-to-end security using a host IPSec stack only. Note that IPorg is the original IP header; IPtun is the new IP header created in IPSec tunnel mode.
Figure 5.21: Basic VPN security using gateway IPSec stacks between two intranets. Note that IPorg is the original IP header; IPtun is the new IP header created in IPSec tunnel mode.
Figure 5.22: Remote access.
Figure 5.23: End-to-end security. Both gateways and hosts support IPSec.
Figure 5.24: Alternative locations for VPN termination in cooperation with a firewall and router.
Figure 5.25: VPN termination between two trusted sites. The firewall and router must be configured to accept any VPN tunneling or key-management protocols.

Chapter 6: Designing Reliable Networks
Figure 6.1: Cost of unavailability in a fictitious call center.
Figure 6.2: Failure analysis of a simple nonresilient design.
Figure 6.3: Point-to-point network in series.
Figure 6.4: Point-to-point network in parallel.
Figure 6.5: Topological fault tolerance. (a) Bus or multidrop, (b) Tree, (c) Partial mesh, (d) Full mesh, (e) Star.
Figure 6.6: (a) Traditional leased-line star topology. (b) Leased-line star topology, supplemented by dial-up links. (c) Twin star topology with leased lines.
Figure 6.7: (a) Partial mesh leased line network. (b) Fully meshed leased line network.
Figure 6.8: Logical routing topology where both multilink and multipath load sharing are employed.
Figure 6.9: Resilient connections into a switched cloud via dual connections to different PoPs.
Figure 6.10: Topological resilience in LAN backbones. (a) Self-healing fiber ring backbone (e.g., FDDI, Token Ring), (b) Meshed-switched backbone (e.g., FDDI, Fast Ethernet, Gigabit Ethernet, ATM).
Figure 6.11: Basic redundant link configurations. (a) A simple star configuration requiring four physical cables to provide link resilience but having a single point of failure at hub H1. (b) An improved configuration with only three cables and no single point of failure.
Figure 6.12: User workstation wired back to two communications rooms using a dual port transceiver connected to different floor outlets.
Figure 6.13: General architecture for servers in (a) fault-tolerant mode and (b) clustered high-availability (HA) mode.
Figure 6.14: VRRP packet format.
Figure 6.15: VRRP configuration with resilience for high-speed server farm.
Figure 6.16: VRRP configuration with LAN and WAN interfaces.
Figure 6.17: Fault-tolerant backbone design.
Figure 6.18: Total resilience in a building environment.
Figure 6.19: First floor conceptual wiring plan at New York XChange-A, Floor 1.

Chapter 7: Network Optimization
Figure 7.1: Policy implementation using SAP packet filtering.
Figure 7.2: Token bucket scheme.
Figure 7.3: A classification of queuing disciplines.
Figure 7.4: Enhanced FIFO queuing.
Figure 7.5: Priority queuing.
Figure 7.6: Custom queuing.
Figure 7.7: The effects of an applied CBQ class to a Web-browsing application. In (a) the traffic is unconstrained and has regular bursts above 50 Mbps, affecting other services. In (b) the traffic class applied limits the maximum available bandwidth to 40 Mbps.
Figure 7.8: (a) Local proxy configuration. (b) Remote proxy configuration.
Figure 7.9: VRRP configuration with load sharing and resilience for a server farm.
Figure 7.10: Deterministic flow hashing using two monster switches.
Figure 7.11: Deterministic flow hashing.
Figure 7.12: Distributing flows using hashing techniques. Here, four flows (A, B, C, and D) are fed into the cluster. (a) An autocratic model, where a master (MI) is elected and performs flow distribution at the ingress port. (b) A democratic model, where each node is aware of the flow states being handled by other members of the cluster.
Figure 7.13: Web browsing and FTP file requests without caching. (1) The Web browser issues an HTTP request for a Uniform Resource Locator (URL), which refers to a specific Web page on a particular server (also known as an HTTP server or origin server) attached to the Internet. (2) The request is forwarded to the server through standard IP routing. (3) The HTTP Content Server returns content to the Web browser one file at a time (which typically comprises a sequence of large packets).
Figure 7.14: Web and FTP transactions with caching.
Figure 7.15: Cache deployment options. Note that cache locations are highlighted with a C. (1) Cache server acting as a default gateway. (2) Layer 4 switches can route requests for cacheable data (HTTP, NNTP, etc.) to the cache server while forwarding all other requests to the Internet. (3) Web Cache Control Protocol (WCCP) implemented in a Cisco IOS-based router. Port 80 (HTTP) requests are routed to the cache servers, while other requests are routed to the Internet. (4) In front of a Web farm to reduce load on content servers. (5) At an ISP Point of Presence (PoP) to serve requests locally. (6) At an aggregation point at the edge of the Internet to reduce bandwidth requirements.
Figure 7.16: (a) Network Attached Storage (NAS), and (b) Storage Attached Network (SAN) topologies.

Chapter 8: Quality of Service
Figure 8.1: Flow identification. Here we see two flows highlighted amidst background traffic.
Figure 8.2: Integrated services model for a host and a router.
Figure 8.3: IPv4 and IPv6 QoS-related fields.
Figure 8.4: Router backbone, with some routers supporting MPLS.
Figure 8.5: Label-switched forwarding table.
Figure 8.6: IS model for a host and a router.
Figure 8.7: (a) RSVP common header. (b) RSVP object header.
Figure 8.8: Path reservation message format. (b) Resv message format.
Figure 8.9: RSVP path definition process.
Figure 8.10: RSVP Resv message flow.
Figure 8.11: RSVP behavior with multicast flows.
Figure 8.12: The DS byte format.
Figure 8.13: DS traffic conditioner.
Figure 8.14: Pieces of the QoS jigsaw puzzle in context.
Figure 8.15: The transit (backbone) network is running DiffServ for scalability and ease of deployment. RSVP is run on the stub (access) networks between the edge routers and the backbone routers.

Chapter 9: Network Management
Figure 9.1: A typical Graphical User Interface (GUI) showing a network map.
Figure 9.2: Basic SNMP architecture.
Figure 9.3: MIB tree hierarchy.
Figure 9.4: Example GetRequest for 1.3.6.1.2.1.1.1.1.1.1.1.1.0.
Figure 9.5: Basic SNMP protocol stack and object interaction.
Figure 9.6: OSI management structure.
Figure 9.7: Nokia's Voyager HTTP interface for firewall configuration management.
Figure 9.8: HP++ SNMP browser tool. An example showing the Get primitive being configured for MIB-II.
Figure 9.9: Simple one-tier centralized management, with three remote subnets connected via 64-Kbps links.
Figure 9.10: Manager-of-Manager (MoM) concepts offering a hierarchical and distributed management design.
Figure 9.11: Traceroute recording example.
Figure 9.12: A PC-based network analyzer, showing detailed protocol decoding of a TCP/IP frame over an Ethernet interface.
Figure 9.13: Policy management deployment.

List of Tables

Chapter 2: Addressing, Naming, and Configuration
Table 2.1: Classes A through E: Address Ranges and Configuration Data.
Table 2.2: Examples of Well-known Multicast Group Addresses.
Table 2.3: Class C Address Allocation.
Table 2.4: IP class B subnet configuration. Subnet addresses that are OK to use are indicated in the final column. Addresses that have been excluded are either subnet broadcasts or host broadcast/my addresses.
Table 2.5: IP class C subnet configuration. Subnet addresses that are OK to use are indicated in the final column. Addresses that have been excluded are either subnet broadcasts or host broadcast/my addresses.

Chapter 3: Routing Technology
Table 3.1: Classification of Routing Protocols.
Table 3.2: Comparison of IGP Features.

Chapter 5: Designing Secure Networks
Table 5.1: Well-known Port Numbers for UDP and TCP Services.
Table 5.2: Various Security Solutions and Their Features.

Chapter 6: Designing Reliable Networks
Table 6.1: Average Downtime Costs by Industry Type and Operation (Source: Dataquest—Perspective, September 30, 1996).
Table 6.2: Quick Analysis of Major Points of Failure and Their Immediate Effects on the Example Network in Figure 6.2.
Table 6.3: ALE Analysis of Major Points of Failure.
Table 6.4: Availability Expressed as a Percentage of Uptime (Hours = H, Minutes = M, Seconds = S, Milliseconds = MS).
Table 6.5: Example MTBFs for Real Network Devices.

Chapter 7: Network Optimization
Table 7.1: Optimization Techniques and Their Benefits.

Chapter 8: Quality of Service
Table 8.1: Typical Flow-Oriented Traffic From the Types of Data That Normally Do Not Qualify as a Flow.
Table 8.2: QoS Features Supported by Leading Networking Vendors.
Table 8.3: Recommended Use of Token Ring User Priority.
Table 8.4: RSVP Reservation Attributes and Styles.

Chapter 9: Network Management
Table 9.1: Comparison of Secure SNMP and SNMPv2 Performance, Measured in SNMP Primitives Per Second (Tests Conducted at Carnegie Mellon University, Pittsburgh, PA).

Posted: 26/03/2019, 16:31